Blocking .exe files via Web filtering not working

I have updated our end point policy on the sophos admin center via the cloud.

I have blocked .exe files via policy, but it does not work. Users can still open .exe files downloaded from the internet. I have updated the software via the pc and pushed update from the cloud to end point(pc) but no good. Restarted few times, still the same.

I have  verified that the website listed here is blocked: http://sophostest.com/malware/index.html.

Anyone got an idea as to why ? 

Parents
  • I think I found my answer. If a file is downloaded via https then it can't decrypt the content. Can someone confirm ?

  • The component at the endpoint doesn’t man-in-the-middle the traffic to ‘see’ the content so it does’t know it’s an exe in this case. It can still block/warn sites using the SNI of the SSL ‘client hello,’ so this allows malicious website and site categorisation to work. Download rep, as long as the browser supports ioffice interface will result in the file being scanned and a reputation lookup being made before the browser ‘gives up’ the file to the user. IE, Chrome do support it at least.

    I understand that a replacement web protection component is being worked on that will do inspection at the endpoint. So I don’t think it will be too long before you can do this for HTTPS. Maybe watch the EAP releases for endpoint.

    For now to block file types over HTTPS. You would need to do it at the Firewall/network level. E.g the XG.

    Jak

Reply
  • The component at the endpoint doesn’t man-in-the-middle the traffic to ‘see’ the content so it does’t know it’s an exe in this case. It can still block/warn sites using the SNI of the SSL ‘client hello,’ so this allows malicious website and site categorisation to work. Download rep, as long as the browser supports ioffice interface will result in the file being scanned and a reputation lookup being made before the browser ‘gives up’ the file to the user. IE, Chrome do support it at least.

    I understand that a replacement web protection component is being worked on that will do inspection at the endpoint. So I don’t think it will be too long before you can do this for HTTPS. Maybe watch the EAP releases for endpoint.

    For now to block file types over HTTPS. You would need to do it at the Firewall/network level. E.g the XG.

    Jak

Children
No Data